WannaCry, Cyber Security and Data Protection


By now we are all familiar with the aptly-named WannaCry computer virus and the extensive chaos it has brought. Not only have hospitals and other healthcare providers suffered cancelled operations and GP appointments; victims also include telecoms operators, car assembly factories, university labs and public transport systems in over 150 countries.

What makes this attack interesting from a data protection perspective is that it underscores the need for organisations and businesses to keep their IT operating systems current and updated.

Back in March this year Microsoft announced that their operating systems were susceptible to a vulnerability, and offered a “patch” (think plaster over a cut except this is for computer programs) to cure the problem.

If an organisation updated itself in accordance with the software manufacturer’s instructions, the vulnerability would have been remedied and no damage would have been suffered.

On the other hand, if an organisation did not update its systems and was hacked, this is likely to be a determining factor when establishing whether data protection obligations have been breached, especially where the vulnerability had been announced and a readily available patch issued.

In addition, we now know that some organisations, including over 40 NHS Trusts, continue to run on outdated operating systems. Crucially, these are no longer supported or updated by Microsoft, and no patch was available.

Questions will be asked as to why hospitals (which process sensitive data) are using unsupported and out-of-date operating systems which leave them particularly vulnerable to viruses.

The UK’s Information Commissioner’s Office, which oversees data protection compliance in the UK, has been quick to issue a statement making it clear that it is keeping an open mind as to what steps it may take, once the dust settles, if breaches of data protection are found.

No doubt tough questions are going to be asked all round, and if you are a data controller you will need the right answers.

One of the main obligations under data protection legislation is that personal data must be processed securely. However, there is no “one size fits all” solution and no organisation can be 100% safe from cyber-attack. If the Pentagon has in the past been hacked by a teenager in his bedroom, then it is safe to say that the potential exists for most, if not all, organisations.

What is important from a data protection perspective is to be able to demonstrate that the organisation has taken reasonable organisational and technological steps to safeguard its personal data taking into account:

the nature of the data they process;

the harm which might result from accidental or unlawful loss, destruction, disclosure or access to it; and

the state of available technology and the cost of implementing it.

It is important to understand that the Cyber Security measures expected will be different for each data controller, depending on the type of data they process: the more sensitive the data, the higher the threshold. As technology evolves, so too will the security requirements. Protection measures which were good 6 months ago may no longer be good in 6 months’ time. Cyber Security is therefore a constantly moving target.

One of the lessons of the WannaCry outbreak is that it reinforces the need for IT departments to keep on top of developments, react accordingly and keep their operating systems current, with appropriate safeguards in place, including the use of continuous back-up systems.

Make no mistake, data protection is now serious business, with offending organisations being fined substantial amounts of money.

Sony were fined £250,000 when their PlayStation Network platform was hacked in 2011, and telecoms operator TalkTalk £400,000 in 2013 for a similar hack. Google Spain have also been fined an eye-watering total of €900,000 for a number of privacy breaches.

If you think that’s bad, think again, as fines are being taken up to a whole new level when the European General Data Protection Regulation (GDPR) comes into force in May 2018.

Under the GDPR, fines for serious breaches will be increased to a jaw-popping maximum of €20m or 4% of a group’s turnover (whichever is the higher). Increased compensatory rights for individuals who suffer damage are also being introduced, meaning that organisations should not discount the increased prospect of also having to deal with third-party actions where non-compliance causes damage to individuals.

As Microsoft said in the aftermath of the outbreak, “WannaCry is a wake-up call”.

Organisations and businesses that fail to keep abreast of organisational, technological and legal developments will quickly find themselves at the wrong end of an investigation, with the possibility of hefty fines being imposed and of having to defend third-party compensation claims.

Michael Nahon is a Partner at Hassans International Law Firm and specialises in Data Privacy. He regularly advises multinational corporations as well as the local gaming and banking sectors on their Gibraltar data protection obligations. Michael also conducts data protection audits to assist clients in understanding their data protection obligations and in developing means by which to ensure compliance. He is a contributing author to DLA’s Data Protection Laws of the World Handbook, PDP Journals and DataGuidance.
